Wearable devices aren’t quite as ubiquitous as smartphones – at least not yet. IDC predicts that the wearables market will grow at an annual rate of 45 percent between now and 2019. Fitness bands are the most popular wearables at the moment, but smart watches and other wearable technologies are expected to gain ground over the next few years. We can expect wearables to play a large role in health care and sports training. Within the business setting, wearables can be used for authentication or to assist in hands-on or machine-based tasks, including interfacing with computers and other smart devices.
The growth of wearables, of course, means more devices connecting to the company network, increasing security risks. Users of wearables are already voicing concern that hackers want to steal the data generated and transmitted. But IT and security leaders need to be concerned, too. Sam Rehman, CTO of Arxan Technologies, stated:
Wearable devices may be putting many enterprise security professionals on their heels; they are the newest challenge in a BYOD workplace. These devices increase the attack surface and could become vulnerable targets that could allow unauthorized access to an enterprise’s sensitive information. Defining tight enterprise security policies for the use of wearables and their access to corporate data is essential.
Let’s take a look at what security professionals think are the most serious weaknesses that wearable computing devices are introducing into networks.
Serious Wearable Security Weakness
Wearable devices will generally need to be connected to a smartphone, tablet or computer. So they will be plugged into a corporate laptop or desktop through a USB port, as your phone is today, and thus could introduce viruses or malware into the company’s system. This is a backdoor to the company’s network via an employee’s wrist or headwear, according to security professionals at INSIDE Secure. This gives hackers the chance to download private corporate information, remotely control the wearable, or allow unauthorized access into physical locations.
Wearable devices could change the dynamics of insider threats when it comes to corporate espionage. Cameras and microphones on wearables can be used to record private conversations or meetings involving discussions of intellectual property, photograph secret documents or prototypes of new products, or share information online. Yes, all of this can be done with a smartphone, but wearables do it more discreetly. Someone would notice if a smartphone was put on the table and set to record, but not a smartwatch concealed by a shirt sleeve.
Everything an insider can do with cameras and microphones can be done by a hacker if malware is installed, according to Chris Camejo, director of threat and vulnerability analysis for NTT Com Security. We’ve seen this kind of recording capability built into smartphone malware packages, and it’s not a stretch to imagine it will be incorporated into malware for wearable devices when that type of malware starts to appear in the wild.
Especially important is the need for enterprises to permit only wearable devices that have hardened application code and advanced key protection measures, said Sam Rehman, CTO of Arxan Technologies. This is critical in order to defend against reverse engineering and tampering with an application’s code. Without such protections, applications on wearable devices could easily be manipulated to spy on the enterprise, steal sensitive corporate data, and do other nefarious things.
Smartphone Data Access
Wearables are also privy to much of the information stored on smartphones, which in turn are often connected to corporate email and other sensitive systems, Camejo said. These devices therefore present all of the same risks of data loss that a smartphone already presents, including adding another vector for malware to enter a network, allowing attackers to intercept two-factor authentication codes for the purposes of financial fraud, and just plain spying on all of the sensitive communications that happen via email.
Many BYOD policies don’t include wearables yet. That means IT cannot manage and monitor these devices the way it would a smartphone, tablet or laptop. As Amit Sethi, senior principal consultant at Cigital, pointed out, without some sort of policy focused on wearables, IT teams may have no control over whether the user has any type of authentication or other security feature enabled on the wearable device. Also, IT generally cannot remotely wipe any sensitive data cached on the devices if they are lost or stolen.
The limited user interfaces on these devices make it challenging to add security features to apps running on them. Sethi posed this question: If you are developing an enterprise app for a wearable device and want to authenticate the user before allowing him/her to do something sensitive, how do you do that without the authentication step becoming a nuisance? Usability generally wins over security. Adding security features to apps running on wearable devices may make using the app more difficult for the user than simply pulling out their smartphone.
Limited Platform Protections
Wearable devices generally have small batteries, limited memory, and several other constraints, Sethi stated. Constrained environments tend to lack platform protections that would be costly in terms of resource usage, and to rely on weak, proprietary cryptographic protocols because the strong standard protocols are too slow. Data handled by wearable devices is often at risk as a result – both when it is in transit between a smartphone and the wearable device, and when it is cached on the wearable device.
Bluetooth and Wi-Fi communication between wearable devices and paired smartphones presents a significant area of vulnerability, according to Paula Skokowski, security expert with Accellion. Although wireless connections have improved, hackers are always coming up with new ways to break in and intercept data. A lack of built-in PIN protection or security fingerprinting gives hackers the opportunity, through persistent trial and error, to try a variety of username and password combinations until they crack the code and can access content stored on the devices.
Lack of Compliance
Wearables may not meet compliance regulations, for instance when they handle health-related data. As many companies are now turning to wearables to track fitness output or to monitor overall health (such as requiring the use of a heart monitor function on the fitness tracker) and share the results with insurance companies, the question to be addressed is whether or not the transmission of this data complies with HIPAA. Similar questions arise when smart devices are used with payment systems. Add to this that much of the data transmitted isn’t encrypted, and your company could be looking at serious compliance failures.